7.7.5 Key validation points
Lest you forget why we actually bother validating input, it is because the golden rule of user input is "never trust user input". That means exactly what it says: never trust anything that comes from users. Most of your users will be nice people who want to use your site as you expect them to; however, there are some very malicious people out there who hack, cheat, and steal using any means they can - don't let yourself become their next victim!
Above and beyond the golden rule, there are several key things you need to keep in mind when working with user variables:
- Do not rely on magic quotes or addslashes() to make user input safe for a database query: addslashes() knows nothing about the connection's character set, and magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4. Use prepared statements with bound parameters (PDO or mysqli) so that the data never becomes part of the SQL text; if you really must build a query string by hand, use the driver's own escaping function, such as mysqli_real_escape_string(). Quoting rules differ by destination (SQL, HTML, shell commands), so escape for the context the data is going into, never with one generic function.
- strip_tags() can help keep rogue HTML out of stored data, but it is not sufficient on its own: it does nothing for data that ends up inside an attribute, and malformed markup can slip past it. The reliable defence is to escape on output with htmlspecialchars() (with ENT_QUOTES), so that whatever was submitted is rendered as text rather than interpreted by the browser.
- Never include() a file using a variable unless you are certain the variable cannot come externally. While include($var); might look nice on the surface, a user who can influence $var can point it at a sensitive file on your system (or, if allow_url_include is enabled, at a remote one). If which file to load must depend on input, map that input onto a fixed whitelist of filenames and load only from the whitelist.
- Always remember that your users might submit no value at all, so check that a variable exists (isset() or array_key_exists()) before you check its value; otherwise you get a notice and end up testing null as though it were real input.
- Don't assume that client-side validation is enough: users can easily disable scripting on their machine, edit the page, or send requests directly with a tool such as curl, bypassing your client-side checks entirely. Validate everything again on the server.
- Remember that users can enter "Elephant" for their age: don't assume that users entered anything like what you asked them to. Check the type and range of every value, for example with ctype_digit() or filter_var() with FILTER_VALIDATE_INT, rather than casting it and hoping.
- Variable variables ($$name) and variable functions ($func()) that rely on user input should be viewed with extreme caution: they let the user choose which variable gets overwritten or which function gets called. Don't give your users any such easy chances to damage your system with bad input.
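The following is an added example, not code from the original book. It applies the points above to a few constructed form submissions: a hostile one, a well-formed one, and one with a field missing. The members table, the page whitelist and the use of an in-memory SQLite PDO (which needs the pdo_sqlite extension) are assumptions made so that the script runs offline.

```php
<?php
// Added example (not from the original book): the validation points applied
// to constructed form submissions. Assumptions: a "members" table with name
// and age columns, a two-entry page whitelist, and an in-memory SQLite PDO.
declare(strict_types=1);

// Constructed sample submissions standing in for $_POST.
$submissions = [
    // hostile: HTML in the name, a non-numeric age, a traversal attempt in "page"
    ['name' => "O'Brien <script>alert(1)</script>", 'age' => 'Elephant', 'page' => '../../etc/passwd'],
    // well-formed: an apostrophe in the name is legitimate data, not an attack
    ['name' => "Sinéad O'Connor", 'age' => '42', 'page' => 'about'],
    // incomplete: the age field was never sent at all
    ['name' => 'Anon', 'page' => 'home'],
];

// Existence first: a missing field must not raise a notice or be treated as "".
function field(array $src, string $key): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    return trim($src[$key]);
}

// Validate the shape of what was asked for: filter_var rejects "Elephant",
// "12abc", negative and absurd values instead of coercing them to 0.
function validateAge(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $age = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    return $age === false ? null : $age;
}

// Never include() a user-chosen path: map the request onto a fixed whitelist
// and fall back to a default for anything else, "../../etc/passwd" included.
function resolvePage(?string $requested): string
{
    $allowed = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
    return $allowed[$requested ?? ''] ?? $allowed['home'];
}

// Database: bound parameters carry the value separately from the SQL text,
// so no addslashes()/magic-quotes style escaping is involved at all.
function insertMember(PDO $db, string $name, int $age): void
{
    $stmt = $db->prepare('INSERT INTO members (name, age) VALUES (:name, :age)');
    $stmt->execute([':name' => $name, ':age' => $age]);
}

// Output: escape for HTML at the point of display rather than stripping tags,
// so <script> is shown as text and the apostrophe survives intact.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT NOT NULL, age INTEGER NOT NULL)');

foreach ($submissions as $post) {
    $name = field($post, 'name');
    $age  = validateAge(field($post, 'age'));
    $page = resolvePage(field($post, 'page'));

    if ($name === null || $name === '' || $age === null) {
        echo "Rejected: a name and a whole-number age (0-150) are required\n";
    } else {
        insertMember($db, $name, $age);
        echo 'Welcome, ' . h($name) . "\n";
    }
    echo "Serving $page\n";
}

// The stored value is the raw name: no doubled quotes or backslashes to clean up later.
foreach ($db->query('SELECT name, age FROM members') as $row) {
    echo "Stored: {$row['name']} ({$row['age']})\n";
}
```

Only the second submission reaches the database; the first is rejected on its age before anything is inserted, and the third is rejected because the age field is absent rather than empty. The traversal attempt never touches the filesystem because resolvePage() only ever returns one of the two whitelisted paths.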
Want to see this stuff in print? PHP in a Nutshell takes the core topics covered here, adds in thousands of edits from the editorial team and myself, and combines them to make an unbeatable reference for PHP programmers at all levels.
My latest book has hundreds more tips on how to use PHP, Apache, and MySQL, plus Perl, Python, shell scripts, performance tuning, and more!